1.

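 In the highly information-driven 21st century, more and more data-related business is handled over the Internet, and almost every industry depends on it. The Internet industry has grown to an unprecedented level, the Internet makes daily life more convenient, and our dependence on it keeps increasing. The rapid growth of e-commerce companies such as JD.com, Amazon and Yixun, together with the recent rise of Internet finance, has pushed this growth even further. That growth, however, has to face the problem of information security: how is the security of data, and especially of users' private information, guaranteed? How do Internet companies protect their own information? How do large e-commerce companies such as JD.com, Tmall and Yixun use encryption to keep information secure? And since applying to a CA for a certificate is expensive, how can you build your own CA? Based on my own understanding of encryption, this post briefly introduces how encryption works, basic use of openssl, and how to build your own CA.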

2. Three basic types of encryption

 1) Symmetric encryption. Algorithms include: DES, 3DES, AES, Blowfish, Twofish, IDEA, RC6, CAST5, Serpent

 2) Asymmetric encryption. Algorithms include: RSA, DSA, ElGamal

CA certificates and the CA's certificate revocation list are used for verification, to prevent impersonation.

 3) One-way encryption. Algorithms: MD5, SHA1, SHA512, CRC-32

 4) PKI (Public Key Infrastructure). Most Internet companies currently use this mechanism to ensure security.

3. A common encryption tool: openssl

 Symmetric encryption:

   Encrypt a file:

[root@localhost ~]# openssl enc -des3 -a -salt -in /etc/fstab -out /root/fstab.cipher
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@localhost ~]# ls -l ./fstab.cipher
-rw-r--r-- 1 root root 1118 Mar 19 17:52 ./fstab.cipher
[root@localhost ~]# cat ./fstab.cipher
[base64 ciphertext omitted]
[root@localhost ~]#

    Decrypt the file:

[root@localhost ~]# openssl enc -d -des3 -a -salt -in ./fstab.cipher -out ./fstab
enter des-ede3-cbc decryption password:
[root@localhost ~]# ls -l ./fstab
-rw-r--r-- 1 root root 805 Mar 19 17:57 ./fstab
[root@localhost ~]# cat ./fstab
#
# /etc/fstab
# Created by anaconda on Fri Mar 14 08:41:02 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=b7e89175-1bb1-4f9b-af34-7450d276bc62 /                       ext4    defaults        1 1
UUID=85a0d4fa-fc8b-4147-95ff-cdee4fbe5869 /boot                   ext4    defaults        1 2
UUID=02bca372-7b18-46b0-9c81-67b807847d36 swap                    swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
[root@localhost ~]#

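 One-way encryption: the operation is irreversible. The result cannot be decrypted and can only be used to verify data integrity.

    Apply one-way encryption to a file: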

[root@localhost ~]# ls
anaconda-ks.cfg  install.log  install.log.syslog
[root@localhost ~]# cp /etc/fstab .
[root@localhost ~]# ls
anaconda-ks.cfg  fstab  install.log  install.log.syslog
[root@localhost ~]# md5sum fstab
35a092e2a7f450fdc2d8fb0e48ba8f07  fstab
[root@localhost ~]# openssl dgst -md5 fstab
MD5(fstab)= 35a092e2a7f450fdc2d8fb0e48ba8f07
[root@localhost ~]#

Note: the same file processed with the same one-way algorithm always yields the same result.
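
The symmetric and one-way operations above combined in one round trip, as an added example (not from the original post): it shows that `-salt` makes two encryptions of the same file differ while the digest of the decrypted file still matches the original. It assumes OpenSSL 1.1.1 or later for `-pbkdf2` and uses AES-256 and SHA-256 rather than the post's des3 and MD5; the function name, file contents and passphrase are constructed.

```shell
# Added example: salted password-based encryption round trip, checked with a digest.
# enc_demo, the sample text and the passphrase are constructed for illustration.
enc_demo() {
  d=$(mktemp -d) || return 1
  ( cd "$d" || exit 1
    printf 'UUID=constructed-sample / ext4 defaults 1 1\n' > plain.txt
    pw='constructed-passphrase'   # pass: is used only so the sketch runs unattended
    # Encrypt the same plaintext twice; -salt draws a fresh random salt each time
    openssl enc -aes-256-cbc -pbkdf2 -a -salt -pass "pass:$pw" -in plain.txt -out c1.b64
    openssl enc -aes-256-cbc -pbkdf2 -a -salt -pass "pass:$pw" -in plain.txt -out c2.b64
    cmp -s c1.b64 c2.b64 && salted=same || salted=differ
    # Decrypt one copy and compare digests of the original and the recovered file
    openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "pass:$pw" -in c1.b64 -out back.txt
    h1=$(openssl dgst -sha256 < plain.txt)
    h2=$(openssl dgst -sha256 < back.txt)
    [ "$h1" = "$h2" ] && digest=match || digest=mismatch
    # A wrong passphrase must not reproduce the plaintext
    openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "pass:wrong" -in c1.b64 -out bad.txt 2>/dev/null || true
    cmp -s plain.txt bad.txt && wrong=accepted || wrong=rejected
    echo "$salted $digest $wrong" )
  rm -rf "$d"
}
enc_demo   # prints: differ match rejected
```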

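Public-key encryption: public-key encryption is generally used for identity authentication; a key pair is generated and used to apply to a CA for a certificate. Because it is slow, it is rarely used to encrypt data. The steps below for building a CA and requesting a certificate use public-key encryption, so no separate example is given here.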

4. Building your own CA and requesting a certificate from it

[Figure: architecture diagram]

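Generate the key pair on the CA. The command runs in a subshell, so the umask setting takes effect only inside that subshell; it removes all permissions on the key file for every user other than the owner.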

[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# ls
certs  crl  newcerts  private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................................................+++
........+++
e is 65537 (0x10001)
[root@localhost CA]# ls -l private/cakey.pem
-rw------- 1 root root 1675 Mar 19 18:55 private/cakey.pem
[root@localhost CA]#

Generate the self-signed certificate

Create the required files:

[root@localhost CA]# touch index.txt serial crlnumber
[root@localhost CA]# echo 01 > serial
[root@localhost CA]#

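On the application server, generate a key and save it under the configuration directory of the service that will use the certificate: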

[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# cd /etc/httpd/ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
......................++++++
...++++++
e is 65537 (0x10001)
[root@localhost ssl]# ls -l
total 4
-rw------- 1 root root 887 Mar 19 11:24 httpd.key
[root@localhost ssl]#

Generate the certificate signing request

[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:mesada
Organizational Unit Name (eg, section) []:Linux Operation
Common Name (eg, your name or your server's hostname) []:ca.mesada.com
Email Address []:caadmin@mesada.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls -l httpd.csr
-rw-r--r-- 1 root root 720 Mar 19 11:27 httpd.csr
[root@localhost ssl]#

Send the request file to the CA

[root@localhost ssl]# ls
httpd.csr  httpd.key
[root@localhost ssl]# scp httpd.csr root@172.16.5.3:/etc/pki/CA
The authenticity of host '172.16.5.3 (172.16.5.3)' can't be established.
RSA key fingerprint is b1:b0:d8:51:a6:10:63:6f:ec:9a:47:96:2b:81:f4:75.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.5.3' (RSA) to the list of known hosts.
root@172.16.5.3's password:
httpd.csr                                                            100%  720     0.7KB/s   00:00
[root@localhost ssl]#

The CA signs the certificate

[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# ls -l httpd.csr
-rw-r--r-- 1 root root 720 Mar 19 19:28 httpd.csr
[root@localhost CA]# openssl ca -in httpd.csr -out httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 19 11:31:27 2014 GMT
            Not After : Mar 16 11:31:27 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            organizationName          = mesada
            organizationalUnitName    = Linux Operation
            commonName                = ca.mesada.com
            emailAddress              = caadmin@mesada.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                20:EB:87:77:A1:8B:2C:04:B0:B9:08:29:4D:57:F3:81:29:9B:56:3F
            X509v3 Authority Key Identifier:
                keyid:6E:55:BA:24:FB:A2:5E:A1:46:8F:55:AE:5E:91:32:F4:0A:B3:9E:A2
Certificate is to be certified until Mar 16 11:31:27 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Send the certificate back to the requester

[root@localhost CA]# scp httpd.crt root@172.16.5.6:/etc/httpd/ssl
The authenticity of host '172.16.5.6 (172.16.5.6)' can't be established.
RSA key fingerprint is 4e:15:59:c4:6e:b3:10:5b:46:e5:a8:b5:2d:05:29:be.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.5.6' (RSA) to the list of known hosts.
root@172.16.5.6's password:
httpd.crt                                                            100% 3929     3.8KB/s   00:00
[root@localhost CA]#

View the certificate

[root@localhost ssl]# ls -l httpd.crt
-rw-r--r-- 1 root root 3929 Mar 19 11:33 httpd.crt
[root@localhost ssl]# cat httpd.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, L=Shenzhen, O=mesada, OU=Linux Operation, CN=ca.mesada.com/emailAddress=caadmin@mesada.com
        Validity
            Not Before: Mar 19 11:31:27 2014 GMT
            Not After : Mar 16 11:31:27 2024 GMT
        Subject: C=CN, ST=Guangdong, O=mesada, OU=Linux Operation, CN=ca.mesada.com/emailAddress=caadmin@mesada.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                20:EB:87:77:A1:8B:2C:04:B0:B9:08:29:4D:57:F3:81:29:9B:56:3F
            X509v3 Authority Key Identifier:
                keyid:6E:55:BA:24:FB:A2:5E:A1:46:8F:55:AE:5E:91:32:F4:0A:B3:9E:A2
    Signature Algorithm: sha1WithRSAEncryption
[root@localhost ssl]#

If the private key is lost, revoke the certificate promptly

[root@localhost CA]# openssl ca -revoke httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@localhost CA]#
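
The whole procedure in this section (CA key, self-signed root certificate, index and serial files, server key and CSR, signing, revocation) as one non-interactive script; this is an added example, not from the original post. It goes one step further than the post by publishing a CRL and re-verifying the revoked certificate against it. Assumptions: a private config file in a scratch directory instead of /etc/pki/CA and /etc/pki/tls/openssl.cnf, 2048-bit keys and SHA-256, and constructed names (`demo_ca`, `q`, the `example.test` subjects).

```shell
# Added example: the CA workflow of this section, run unattended in a scratch directory.
# demo_ca, q, the file layout and the example.test subjects are constructed for this sketch.
q() { "$@" >/dev/null 2>&1; }                 # run a command quietly
demo_ca() {
  d=$(mktemp -d) || return 1
  ( cd "$d" || exit 1
    mkdir -p ca/private ca/newcerts srv
    touch ca/index.txt; echo 01 > ca/serial   # certificate database and next serial
    echo 01 > ca/crlnumber                    # -gencrl needs a number here, not an empty file
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # CA: private key (owner-only, umask confined to the subshell), then the self-signed root
    (umask 077; q openssl genrsa -out ca/private/cakey.pem 2048)
    q openssl req -new -x509 -sha256 -days 3650 -config ca.cnf -subj "/CN=Example Test CA" -key ca/private/cakey.pem -out ca/cacert.pem
    perm=$(ls -l ca/private/cakey.pem | cut -c1-10)
    # Server: key and CSR; CA: sign the request, then check the chain
    (umask 077; q openssl genrsa -out srv/httpd.key 2048)
    q openssl req -new -config ca.cnf -subj "/CN=www.example.test" -key srv/httpd.key -out srv/httpd.csr
    q openssl ca -batch -days 365 -config ca.cnf -in srv/httpd.csr -out srv/httpd.crt
    openssl verify -CAfile ca/cacert.pem srv/httpd.crt 2>&1 | grep -q ': OK' && before=valid || before=invalid
    # Revoke, publish a CRL, and verify again with CRL checking enabled
    q openssl ca -config ca.cnf -revoke srv/httpd.crt
    q openssl ca -config ca.cnf -gencrl -crldays 30 -out ca/crl.pem
    openssl verify -crl_check -CAfile ca/cacert.pem -CRLfile ca/crl.pem srv/httpd.crt 2>&1 | grep -q 'certificate revoked' && after=revoked || after=valid
    echo "$perm $before $after" )
  rm -rf "$d"
}
demo_ca   # prints: -rw------- valid revoked
```

Revocation only updates the CA's database; relying parties reject the certificate only once they check a CRL generated after the revocation, which is why the last verification passes `-crl_check` and `-CRLfile`.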